Security Checks Simplified: How to Implement Best Practices with Ease

Many organizations are confronted with multiple issues flagged by security tools; are you struggling with security remediation? If so, this talk is for you.

We will discuss the OpenSSF Scorecard, a tool that tells us how well a code repository follows essential security best practices related to code vulnerabilities, maintenance, continuous testing, and minimising source and build risk. We will discuss what the tool measures, why it is necessary, and the steps involved in getting a good score.

We will then discuss how automation and tooling can streamline and simplify the process of applying these best practices. We will introduce an open-source project, Secure-Repo, that aims to automate security remediation tasks. This tool can help developers address security issues flagged by OpenSSF Scorecard.

At the end of this talk, you will better understand how to apply best practices to improve the security of your code repository using automation and tooling.


Speaker

Varun Sharma

CEO and Co-Founder @Step_Security

Varun Sharma is the CEO and co-founder of StepSecurity, an open-core startup that empowers developers to defend against software supply chain attacks by automating security best practices.

He was formerly a Principal Security Software Engineering Manager at Microsoft, where he led the Green Team with a charter to solve high-risk, systemic security issues for Microsoft Azure.

Varun has over 15 years of security experience and an MSc in Information Security from Royal Holloway, University of London.


Date

Monday Mar 27 / 10:35AM BST (50 minutes)

Location

Windsor (5th Fl.)

Topics

security, repository best practices, security remediation, automation, tooling, open source


From the same track

Session cloud

How to Build a Successful Cloud Capability on a Heavy Regulated Organization

Monday Mar 27 / 11:50AM BST

At KPMG, working in a highly regulated industry ourselves, we know and feel the pain of enabling innovation and teams to do what they do best.

Ana Sirvent

Principal DevOps Engineer @KPMG UK

Session automation

Getting Developers into F1 Driver Seats with Security?

Monday Mar 27 / 05:25PM BST

At Virgin Media O2, we are in a race of digital transformation which requires many different types of skillsets and people. This resulted in waves of hiring new blood, contractors and skilling up existing engineers/developers.

Henry Tze

Lead Cloud Security Engineer @Virgin Media O2

Session

Panel: Building Security in Earlier

Monday Mar 27 / 04:10PM BST

Software security is an essential aspect of any digital product, yet it is often neglected until the late stages of the development lifecycle. This approach leaves organizations vulnerable to cyberattacks, which can result in costly data breaches, reputational damage, and legal liabilities.

Ana Sirvent

Principal DevOps Engineer @KPMG UK

Josh Grossman

Application Security Consultant & CTO @BounceSecurity

Varun Sharma

CEO and Co-Founder @Step_Security

Henry Tze

Lead Cloud Security Engineer @Virgin Media O2

Session security

Sustainable Security Requirements with the ASVS

Monday Mar 27 / 01:40PM BST

Shift left? Spread left? Regardless of terminology, we want to be thinking about security earlier on in the development lifecycle. Ideally whilst we are still gathering the business requirements.

Josh Grossman

Application Security Consultant & CTO @BounceSecurity

Session

Unconference: Building Security in Earlier

Monday Mar 27 / 02:55PM BST

What is an unconference? An unconference is a participant-driven meeting. Attendees come together, bringing their challenges and relying on the experience and know-how of their peers for solutions.

Shane Hastie

Global Delivery Lead @SoftEd, Lead Editor for Culture & Methods @InfoQ